WhiteAcid Wrote:
-------------------------------------------------------
> I have no idea why that form won't submit. It's
> the only form on the page, so document.forms[0]
> refers to it. alert(document.forms[0]) shows the
> correct form yet document.forms[0].submit()
> gives:
> document.forms[0].submit is not a function
> Argh, the problems are mounting on this one and
> yet the free time I have to solve those problems
> just isn't there.

Strange. I appreciate your looking. I did not intentionally do anything to mess with the DOM on that page. I'll look at it.

I had a similar problem with form fields once where document.forms[0].field returned the correct reference but document.forms[0].field.focus() returned not a function.

OK, I've fixed stuff, I know there are still things to fix, but what are your opinions so far?

1. If the form is far to the left, the box will no longer appear off screen
2. There may be a yellow bar at the top centre of the screen, that "XSS form" image represents XSSing the current page's querystrings. The bar is only visible if there are any querystrings.
3. As rdivilbiss just suggested, I've edited the submitForm function so it'll hopefully work better.
4. Even though I couldn't reproduce the bug I've hopefully prevented the command being added to the tools menu multiple times per page.
5. You can now apply XSS vectors globally (within a form) or to only a specific field in that form.

Still to do:
1. Escape the vector, especially when XSSing the querystring
2. Move the menu upwards if it was created off the bottom of the screen.
3. Fix issue when using more than one XML file which can result in the vectors and their source not matching up.
4. Make the yellow bar look nicer.
5. Figure out why the button isn't visible for all forms on all pages.

Edit: so you don't need to load the previous page, the script is here: http://www.whiteacid.org/misc/XSS_assistant.user.js

Of course that'll limit the dragging to the top of the menu but that's acceptable for me :).

Also currently there doesn't seem to be a way around the multiple menu entries some users might have; what I found much easier was to remove them altogether and just make the script do its thing if it's activated. It's much faster to disable it from the GM bottom menu too :P

I've changed the online copy so that you can actually use any of the options in the select box. If you want to do what virus does and simply disable the whole menu thing, just comment out the lines

Edit: I'm talking to him on IRC and we've (mainly he) figured out why the image doesn't always show. Essentially it's due to people being unable to code correct (X)HTML.

He's also made it so that if the form only has one input, then it doesn't add the #GLOBAL# option to the select box, something I haven't thought of. He also fiddled with some CSS so the menu doesn't inherit some formatting from the form. I'll edit the online copy later, at least you know it's coming.

Anyway... virus was up late fixing bugs. I'll test them, upload the changes and edit this post in a sec.

Edit: I've updated the online copy. The menu will now move back onto the screen if the button is so low down or so far to the right that the menu would appear off screen. Also, and more importantly, the image should now be visible for all forms.
It will quite seriously mess up the form, but that's better than the image not even being there. If you want to see what virus did, read his post here

Another edit: I've uploaded yet another copy which changes type="hidden" to type="text" when you apply the vector to a single element as opposed to globally.

And another: Now if there is only one element in the form the #GLOBAL# option won't be there. Also there was some small tidying up of the code, found one duplicate line, small stuff like that.

No, but you can do that yourself if you want. There is something out there to convert greasemonkey scripts to extensions. I don't want to do that as having it as a greasemonkey script means it uses less resources than having each of my own scripts as extensions. Also keeping them as .user.js files means they are simpler to edit.

I created another xml file which carries some more (mostly reflective) xss vectors. I use XSS assistant on a daily basis for my job because I think of it as an awesome time saver and I think it could be improved by giving it more vectors to use.

It's taken way too long, but I finally got around to making the new version.
1. Works with xssed.com, allowing you to report PoCs straight to their DB
2. Uses .mario's XML file too
3. Cleaned code just a little

The new version still hasn't been tested by anyone but me and Kevin, the owner of xssed.com, so I would greatly appreciate testing; note though that Kevin would not appreciate spamming his DB.

As always the script is located here: http://www.whiteacid.org/greasemonkey/#xss_assistant

WhiteAcid Wrote:
-------------------------------------------------------
> It's taken way too long, but I finally got around
> to making the new version.

I've used this tool since you first released it (on real, very serious web application vulnerability assessments). Can't wait to try out the new version. The plug for XSS Assistant in "XSS Attacks" is great.

However, in "XSS Attacks", they [probably pdp] seem to promote using Technika to autoload bookmarklets over the Greasemonkey [autoload] approach, citing bookmarklets as portable and Greasemonkey as Firefox only. However, I know otherwise that Greasemonkey scripts work in Opera and can also be made to work in other browsers. I haven't tried XSS Assistant in Opera, although that would be interesting.

> 2. Uses .mario's XML file too

Oh how I wish that CAL9000 also used .mario's XSS XML file as well (it should be easy to import). Speaking to Opera above, CAL9000 seems to work best in Opera (although I do use multiple versions of IE, FF, and Opera when testing for XSS). The autoattack features in CAL9000 are great, but the reporting and use is kind of weak.

With the new version of your tool, WhiteAcid, I really think you have the best tool for testing for XSS out there (having tried a huge number myself), although writeups on Greasemonkey automation and integration with other tools would be nice. I found myself copying from XSS Assistant and into Burp a lot way back when - so I'll have to come up with a faster method, probably based off of other ideas from the book, "XSS Attacks".

Thanks for those comments ntp.
I do know that some greasemonkey scripts can be imported straight into Opera, but to do so with this script would mean losing functionality if it's even possible. I use functions specific to GM that allow for cross domain AJAX. I use this to load the XML files and to submit stuff to XSSed.com. Beside that, the way you start or stop activation of this tool is GM specific, but that part could of course just be re-written.

Perhaps it could be made without GM specific functions if it had the XML files inside itself and instead of automated submission to XSSed it'd just redirect you to the form and pre-fill all the values by adding the variables to the querystring (we'd need to get the folks who run XSSed to set that functionality up for us).

You have the book XSS Attacks? I pre-ordered that thing back in February and it's still not here. Due date for amazon.co.uk is 1 Jun 2007 *sigh*.

What specifically do you mean by "writeups on Greasemonkey automation"?

CAL9000 will not be continued, unfortunately
The major problem is that modern browsers are too restrictive in using XMLHttpRequest. My experience is that latest mozilla (1.7.x) works fine.
Beside the XSS cheat sheet, the En-/Decoder is one of its best features, AFAIK someone builds a new tool about that. Input welcome.

.mario Wrote:
-------------------------------------------------------
> @ntp: I use cal9000 only for encoding issues -
> never tried the auto attack feature. Unfortunately
> the project seems stalled since end of 2006. The
> Wiki page seems to wait for user feedback
> though...

I don't think any more work is planned, so it looks DOA. The owasp spring of code allotments were already announced and I don't see anything about CAL9000 or any of the project leaders named. I'll try to find out more.

WhiteAcid Wrote:
-------------------------------------------------------
> What specifically do you mean by "writeups on
> Greasemonkey automation"?

It would be nice if your scripts (or similar ones) were able to detect parameters/forms, add the xss tests, submit the request, watch the response (and/or crawl the site for responses showing the xss, etc), et al. iow: do all the work for me.

Ah. I had actually thought about that myself. I figured I could have a GM function such as xss_test() { alert('xss works') }, write that into the page using GM (before even the onload event would fire). Then it'd have an edited version of the XSS location in rsnake's XML file which instead of running an alert() tries to run that function. It'd then inject this into a form (inside a hidden iframe). It is probably very possible.

Due to crappy testing the reportPoC() didn't actually work properly. I just had to escape() some values, I've reuploaded. Please update the script.

Edit: slightly later I made another fix. I really should implement something in this so it calls home to check for new versions, but I know you guys don't want me to be able to track what sites you use this on.

Truly the peak of irony; this tool was vulnerable to XSS itself. It was possible for a web admin (who is able to create forms) to create one which runs JS when you try to XSS his forms. Create a page with the following form on it:
<form name="asd<img src=fail onerror=alert(1)>">a</form>
Then hit the little icon to bring up the window for this tool and you'll be XSSed. This same bug existed in more than one place, also in the form's action attribute which executes when you hit "Show form information". It'd also work in the form's children's name attributes as it uses those to build the select box.

I've now used the JS function escape() to protect you. Please update the script.

Yes this was bad, yes, I shouldn't have done this. I do apologize. At least to my knowledge this hasn't been abused and if it has at least the attacker didn't get access to the GM API allowing cross domain requests.
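The bug described in this post, as an added illustration that is not WhiteAcid's script: page-controlled attribute values (the form's name, its action, its children's names) are concatenated into the tool's own menu markup, so the form name from the post is parsed as a tag. The hardened builder below uses HTML-entity escaping rather than the JS escape() percent-encoding the post mentions; the menu layout and field names are constructed for the example.

```javascript
// Constructed sample input: the form name from the post above, plus two field names.
const FORM_NAME = 'asd<img src=fail onerror=alert(1)>';
const FIELD_NAMES = ['user', 'pass'];

// Vulnerable pattern (assumed shape, not the script's real code): untrusted
// attribute values are dropped straight into the markup the tool injects.
function buildMenuUnsafe(formName, fieldNames) {
  let html = '<div class="xss-menu">Form: ' + formName + '<select>';
  for (const f of fieldNames) {
    html += '<option value="' + f + '">' + f + '</option>';
  }
  return html + '</select></div>';
}

// Hardened: encode the five HTML metacharacters before insertion, so the
// value above renders as literal text and is never parsed as an <img> tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildMenuSafe(formName, fieldNames) {
  let html = '<div class="xss-menu">Form: ' + escapeHtml(formName) + '<select>';
  for (const f of fieldNames) {
    html += '<option value="' + escapeHtml(f) + '">' + escapeHtml(f) + '</option>';
  }
  return html + '</select></div>';
}

// Simple check a reviewer can run over generated markup: does a tag that was
// only present in the *input* survive unescaped in the output?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

console.log('unsafe:', buildMenuUnsafe(FORM_NAME, FIELD_NAMES));
console.log('safe:  ', buildMenuSafe(FORM_NAME, FIELD_NAMES));
```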

Which are the new ones? I really should know this, unfortunately I didn't memorise the vectors :p
There's a really bad storm here atm cutting my Internet off every few minutes, for once I'm happy this forum doesn't bind my session to an IP or I'd have to keep logging back in all the time.